Notices by Soatok Dreamseeker (soatok@furry.engineer)

A short list of things I do not give a single fuck about and never, ever want to hear evangelized in my mentions:

1. Generative AI
2. Cryptocurrency
3. Drug use
4. DNSSEC / DANE
5. Messaging apps that claim to be more secure that Signal but have worse cryptography
6. Religion

I don't care. I don't care. I don't fucking care.

You do you. Leave me out of it.

The empty string is the prefix to every other string.

Therefore, you cannot add domain separation by doing this:

This somehow surprises RFC authors.

https://github.com/lamps-wg/draft-composite-sigs/issues/87

What To Use Instead of PGP

It's been more than five years since The PGP Problem was published, and I still hear from people who believe that using PGP (whether GnuPG or another OpenPGP implementation) is a thing they should be doing. It isn't. The part of the free and open source software community that thinks PGP is just dandy are the same kind of people that happily use…

http://soatok.blog/2024/11/15/what-to-use-instead-of-pgp/

A while ago, I announced that I was going to build #E2EE for the Fediverse, so that we might have private direct messaging.

Then I stumbled over the lack of available tooling for Key Transparency in a federated environment. So I started working on a specification for a Public Key Directory server.

I'm happy to announce that I finally have all my ideas on paper.

https://github.com/fedi-e2ee/public-key-directory-specification/tree/main

This specification is not complete. It still needs:

1. Additional rounds of copy-editing, to ensure terms are consistent and easily understood.
2. Peer review, especially from cryptography experts.
3. A reference implementation.
4. Machine-verifiable security proofs of the security of the protocols described.
5. More peer review.
6. Third-party testing of the reference implementation.
7. Other people's ideas.

That last one is optional, but if anyone identifies an opportunity to make this project more successful, I'd love to hear it.

#fediblock wanderingwires.net their software doesn't honor when a post is deleted, even months later, and their users are reply guys

Open offer for the developers of period-tracking apps and whatnot:

I will help you deploy the appropriate cryptography to proactively protect your users from a hostile government subpoena. After all, you can't surrender data you don't have.

Get in touch here or via email.
https://soatok.blog/about

I hate needing a phone number to function in life.

Having a phone number means unsolicited phone calls.

Having a phone number means unsolicited text messages, often from political organizations asking for money...so they can continue to spam people. And it's not illegal to spam people if it's for political reasons.

But too many systems demand you have one. Employee management software, government agencies, etc. all demand you have one. So you gotta have one.

I'd rather everyone just email me instead. At least, on my desktop, I can setup inbox filters to get rid of crap I don't want without ever needing to see it.

I hate video content. Not because I'm worried about media codec 1-click 0days, but because I read faster than people talk and am sure of what I read (but not always what I heard).

My aversion to unsolicited QR codes is similar

@feld @gsuberland @jkmcnk Because one-time-pads don't offer protection against chosen-ciphertext attack.

@feld @gsuberland @jkmcnk I think this is asking the wrong question

Building PFS into a protocol costs almost nothing and makes security proofs easier, simplifies analysis, and lets us focus on other areas of the attack surface.

PFS should be the default for any protocol designed after the 1990s, and any design that doesn't include it should justify their choice to exclude it, rather than the converse.

@feld @gsuberland @jkmcnk Making things ephemeral eliminates so many attack vectors. Long-lived secrets are undesirable.

@jkmcnk @gsuberland Didn't Session also remove forward security?

Session be like

"We're metadata-resistant. Also, we recently passed the 1 million user milestone. Don't ask how we distinguish unique users!"

https://www.404media.co/email/9ee8f6a1-348a-4fb1-b1b3-30c8898d7581/?ref=daily-stories-newsletter

If you miss what Twitter used to be, BlueSky is mostly that.

(It still needs locked accounts to be 1:1.)

If your experience with Twitter consisted a lot of Wishing Things Were Different, the Fediverse is a better fit for you.

That's how I've interpreted people's opinioms so far.

The Continued Trajectory of Idiocy in the Tech Industry

Every hype cycle in the technology industry continues a steady march towards a shitty future that nobody wants. CMYKat The Road to Hell Once upon a time, everyone was all hot and bothered about Big Data: Having lots of information--far too much to process with commodity software--was supposed to magically transform business. How do you build technology that can process that much information at scale?

http://soatok.blog/2024/09/18/the-continued-trajectory-of-idiocy-in-the-tech-industry/

E2EE for the Fediverse Update – We’re Going Post-Quantum

In 2022, I wrote about my plan to build end-to-end encryption for the Fediverse. The goals were simple: Provide secure encryption of message content and media attachments between Fediverse users, as a new type of Direct Message which is encrypted between participants. Do not pretend to be a Signal competitor. The primary concern at the time was "honest but curious" Fediverse instance admins who might snoop on…

https://soatok.blog/2024/09/13/e2ee-for-the-fediverse-update-were-going-post-quantum/

Most people who have heard of Kamala Harris' plan to tax unrealized capital gains were not told about the scope of the proposal.

https://www.nbcnews.com/business/taxes/harris-plans-tax-unrealized-stock-gains-only-people-100-million-rcna168819

They don't know it only applies to people worth over $100 million.

They don't know it wouldn't apply to real estate at all.

I've listened to many conversations about how bad it would screw over first time homebuyers... based on the media's lies through omission.

Emphasize these details when you discuss them. Remind people of those conditions, and that it's not a tax that will hurt poor or middle class Americans.

PSA - don't do this:

1. https://ghostarchive.org/archive/L4l1M
2. https://ghostarchive.org/archive/oDeCl

Don't demand someone explain side-channel cryptanalysis, call an attack that recovers a full plaintext for a target message a "nothing-burger", bark demands at the other person, then continue to harass them after they tell you to stop.

This is apparently acceptable behavior to the Matrix community.

Seeing FurAffinity get hacked by fucking crypto scammers is sickening

This Matrix story just keeps getting worse.

https://news.ycombinator.com/item?id=41249371

https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/#addendum-2024-08-14